Sensitive Data Policies for Qualtrics Surveys

Introduction

Qualtrics is GDPR (General Data Protection Regulation) compliant and provides technology that enables users to be GDPR-compliant. However, survey creators are ultimately responsible for the security of the data collected and for compliance with GDPR and ISU Data Security and Management Policies. This article provides some best practices for collecting sensitive data with Qualtrics surveys.

Estimated Time to Complete

Reviewing this guide will take no more than 15 minutes.

Vocabulary

Term: Definition
PROJECT / SURVEY PROJECT: A Qualtrics survey.
PUBLIC RESULT DASHBOARD: A dashboard that shows Qualtrics survey results to people without a Qualtrics account.
SENSITIVE DATA POLICY: A data compliance assist tool in Qualtrics that helps you identify survey questions that may collect sensitive data. The following information is categorized as "sensitive data" in the Qualtrics sensitive data policy:

  • Credit card or debit card -- A credit card number is 12 to 19 digits long. It is used for payment transactions globally.
  • USA Social Security Number -- A United States Social Security number (SSN) is a 9-digit number issued to US citizens, permanent residents, and temporary residents. The Social Security number has effectively become the United States national identification number. Nine digits in a row, with or without dashes: 123456789, 123-45-6789.
  • USA Tax ID -- A United States Individual Taxpayer Identification Number (ITIN) is a type of Tax Identification Number (TIN), issued by the Internal Revenue Service (IRS). An ITIN is a tax processing number only available for certain nonresident and resident aliens, their spouses, and dependents who cannot get a Social Security Number (SSN).

ISU Data Policies: https://indianastate.edu/policy-library/data-security-and-management
REDACT DATA: Removal of certain pieces of information from sensitive data to keep data safe.

Best Practices

As a general rule, minimize personal data collection when using Qualtrics as a survey platform. This knowledge base article provides best practices for protecting your survey data and minimizing sensitive data collection within Qualtrics.

  1. Avoid Collecting Sensitive Data: To help users identify questions that could collect sensitive data, OIT has enabled the Sensitive Data Policy, a data compliance assist tool in Qualtrics, to flag sensitive data. When you create a survey, you may use Qualtrics' ExpertReview to check whether a survey question requests sensitive data.
  2. Use ExpertReview: If possible, avoid asking for sensitive information like Social Security Numbers. Qualtrics' ExpertReview will flag such questions to help you comply with privacy standards.
    2.1 You may apply ExpertReview yourself during survey creation. Here is the link to the ExpertReview instructions: Qualtrics ExpertReview Functionality
    2.2 When you publish the survey, ExpertReview will be applied automatically. We strongly recommend that you review the recommendations created by ExpertReview.
  3. Sensitive Data Collected: If sensitive data is collected and you need assistance to redact or delete it, please contact OIT by submitting a ticket for the Qualtrics Account Modification Service. By default, collected information will not be redacted.
  4. Exclude Sensitive Data from Automated Email: Examples of automated email in Qualtrics include, but are not limited to, distributing a survey using a mailing list and sending a feedback email after a respondent submits the survey. Make sure to exclude sensitive data from those automated emails.
  5. Sending Respondents a Copy of Their Survey: Sometimes you may wish to send a copy of the survey responses to the respondents, such as when your survey is an application form. Take extra precautions when your survey collects sensitive data and sends an automated email back to the respondent with their response: do not select the “Include Response Report” option. Please refer to the Qualtrics tutorial about Response Report in Email Task.
  6. Public Results Dashboards: Ensure that public dashboards do not contain sensitive information such as personally identifiable information.

Share Survey Data

When you create a survey that collects the ISU ID number, which is a 9-digit number with the same length as a Social Security number, your collaborator might be blocked from seeing the ISU ID in the survey responses. In such a case, please make sure that you select "View Restricted Data" for your collaborator.
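The following Python sketch is an added example, not Qualtrics' own detection logic: it applies the digit shapes given in the Vocabulary section (nine digits with or without dashes, 12 to 19 digits for cards) to exported response rows before they are shared, emailed, or placed on a dashboard. The field names, the separator handling for card numbers, and all sample values are constructed assumptions; it also shows why a 9-digit ISU ID is indistinguishable from an SSN by shape alone.

```python
import re

# Shapes taken from the Vocabulary definitions above. Separator handling in
# "card-like" (single spaces or dashes between digits) is an assumption.
PATTERNS = {
    "card-like": re.compile(r"(?<![\d-])\d(?:[ -]?\d){11,18}(?![\d-])"),
    "ssn-like": re.compile(r"(?<![\d-])(?:\d{9}|\d{3}-\d{2}-\d{4})(?![\d-])"),
}

def find_sensitive(text):
    """Return (kind, matched_text) pairs for every sensitive-looking value."""
    hits = []
    for kind, pattern in PATTERNS.items():
        hits.extend((kind, m.group()) for m in pattern.finditer(text))
    return hits

def redact(text):
    """Replace every sensitive-looking value with a labelled placeholder."""
    for kind, pattern in PATTERNS.items():
        text = pattern.sub(f"[REDACTED {kind}]", text)
    return text

def review_export(rows):
    """Yield (response_id, field, hits) for each answer cell that needs review."""
    for row in rows:
        for field, value in row.items():
            hits = find_sensitive(str(value))
            if field != "ResponseId" and hits:
                yield row["ResponseId"], field, hits

# Constructed sample responses; none of these values is real.
SAMPLE_ROWS = [
    {"ResponseId": "R_1", "Q1": "My SSN is 123-45-6789", "Q2": "Call 812-555-0100"},
    {"ResponseId": "R_2", "Q1": "ISU ID 991234567", "Q2": "none"},
    {"ResponseId": "R_3", "Q1": "n/a", "Q2": "Card 4111 1111 1111 1111"},
]

if __name__ == "__main__":
    for response_id, field, hits in review_export(SAMPLE_ROWS):
        print(response_id, field, hits)
    # The ISU ID is flagged as SSN-like: the pattern sees only nine digits.
    print(redact(SAMPLE_ROWS[1]["Q1"]))
```

The 10-digit phone number in R_1 is not flagged, while the constructed ISU ID in R_2 is, which is the same shape collision that hides ISU IDs from collaborators without "View Restricted Data".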

Conclusion

By following these best practices, you can help protect the privacy and security of your respondents' sensitive information. Should you need any further assistance, please contact Qualtrics Support for consultation. See the instructions on How to Contact Qualtrics Support.
